sonarqube-mcp

MCP server that exposes SonarQube data as AI agent tools, enabling project discovery, quality gates, measures, issues, hotspots, rule explanations, source code, and raw API access.

An MCP server that exposes SonarQube data as AI agent tools.

Dogfooding: this project is checked via its own sonar_analysis_status tool.

It is recommended to wire the server per project, via .mcp.json or opencode.jsonc in the project root, because different projects have different SonarQube project keys, URLs, and tokens.

Quick start

{
  "mcp": {
    "sonarqube": {
      "type": "local",
      "command": ["npx", "-y", "github:metalralf/sonarqube-mcp"],
      "enabled": true,
      "environment": {
        "SONARQUBE_URL": "http://localhost:9000",
        "SONARQUBE_TOKEN": "squ_...",
        "SONARQUBE_PROJECT": "my_project"
      }
    }
  }
}

Tools

| Tool | Purpose |
| --- | --- |
| sonar_search_projects | Discover project keys |
| sonar_quality_gate | Gate pass/fail + failing conditions |
| sonar_measures | Bugs, smells, coverage, ratings, ncloc, dup |
| sonar_issues | Open issues sorted by severity |
| sonar_hotspots | Security hotspots (needs user token) |
| sonar_rule | Explain a rule (why an issue fired) |
| sonar_source | View flagged source lines |
| sonar_analysis_status | Check if a project has been analyzed, with next steps |
| sonar_setup_scanner | Install sonar-scanner as a devDependency (detects pnpm/yarn/npm) |
| sonar_run_analysis | Run sonar-scanner analysis on the project |
| sonar_raw | Escape hatch — any GET endpoint |

For Claude Code or other MCP clients, copy .mcp.json.example to .mcp.json in your project root:

{
  "mcp": {
    "sonarqube": {
      "type": "local",
      "command": ["npx", "-y", "github:metalralf/sonarqube-mcp"],
      "enabled": true,
      "environment": {
        "SONARQUBE_URL": "http://localhost:9000",
        "SONARQUBE_TOKEN": "squ_...",
        "SONARQUBE_PROJECT": "my_project"
      }
    }
  }
}

For opencode, copy opencode.jsonc.example to opencode.jsonc in your project root:

{
  "$schema": "https://opencode.ai/config.json",
  "mcp": {
    "sonarqube": {
      "type": "local",
      "command": ["npx", "-y", "github:metalralf/sonarqube-mcp"],
      "enabled": true,
      "environment": {
        "SONARQUBE_URL": "http://localhost:9000",
        "SONARQUBE_TOKEN": "squ_...",
        "SONARQUBE_PROJECT": "my_project"
      }
    }
  }
}
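
An added check, not part of the sonarqube-mcp project, for a config of the shape shown above before it is committed: it flags a real token stored inline, a non-loopback http:// URL, and an npx source that is not pinned to a commit. The name auditMcpConfig, the finding labels and both sample configs are assumptions made for this example; it expects comment-free JSON, so a .jsonc file with comments needs a JSONC parser first.

```javascript
// Added example, not sonarqube-mcp code. auditMcpConfig and the finding
// labels are hypothetical names; both sample inputs are constructed.
const TOKEN_RE = /^sq[upa]_[A-Za-z0-9]+$/; // squ_/sqp_/sqa_ followed by a real value
const LOOPBACK = ["localhost", "127.0.0.1", "[::1]"];

function auditMcpConfig(jsonText) {
  const findings = [];
  const servers = JSON.parse(jsonText).mcp ?? {};
  for (const [name, entry] of Object.entries(servers)) {
    const env = entry.environment ?? {};
    // A real token in a per-project file is committed along with the file.
    if (TOKEN_RE.test(env.SONARQUBE_TOKEN ?? "")) findings.push(`${name}: inline-token`);
    // Plain http to a non-loopback host sends the token unencrypted.
    try {
      const url = new URL(env.SONARQUBE_URL);
      if (url.protocol === "http:" && !LOOPBACK.includes(url.hostname)) {
        findings.push(`${name}: cleartext-url`);
      }
    } catch {
      findings.push(`${name}: bad-url`);
    }
    // npx -y installs without a prompt; a github: spec with no #<commit SHA>
    // resolves to whatever the default branch holds when it is installed.
    const cmd = entry.command ?? [];
    const spec = cmd.find((arg) => arg.startsWith("github:"));
    if (cmd[0] === "npx" && spec && !/#[0-9a-f]{40}$/.test(spec)) {
      findings.push(`${name}: unpinned-source`);
    }
  }
  return findings;
}

const makeConfig = (url, token) => JSON.stringify({ mcp: { sonarqube: {
  type: "local",
  command: ["npx", "-y", "github:metalralf/sonarqube-mcp"],
  enabled: true,
  environment: { SONARQUBE_URL: url, SONARQUBE_TOKEN: token, SONARQUBE_PROJECT: "my_project" },
} } });

// The page's template: placeholder token, loopback URL, unpinned source.
const TEMPLATE = makeConfig("http://localhost:9000", "squ_...");
// Constructed filled-in config with a made-up token and host.
const FILLED = makeConfig("http://sonar.example.internal:9000", "squ_" + "a1b2c3d4".repeat(5));

console.log(auditMcpConfig(TEMPLATE)); // [ 'sonarqube: unpinned-source' ]
console.log(auditMcpConfig(FILLED));
```

A spec of the form github:metalralf/sonarqube-mcp#<full commit SHA> clears the unpinned-source finding.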

Setting up SonarQube locally

Spin up with Docker:

docker run -d --name sonarqube -p 9000:9000 sonarqube:community

Open http://localhost:9000, log in with admin/admin, change the password, and generate a user token (squ_...).

Install the scanner (one-time):

pnpm add -D sonar-scanner

Create a sonar-project.properties in your project root with at minimum:

sonar.host.url=http://localhost:9000
sonar.projectKey=my_project
sonar.projectName=My Project
sonar.sources=src
sonar.javascript.lcov.reportPaths=coverage/lcov.info

Then run:

sonar-scanner -Dsonar.token=squ_...

For inline IDE feedback, install SonarLint in your editor and bind it to your local SonarQube instance.

Configuration

| Env var | Description |
| --- | --- |
| SONARQUBE_URL | SonarQube instance base URL |
| SONARQUBE_TOKEN | Auth token |
| SONARQUBE_PROJECT | Default project key |
| SONARQUBE_ORGANIZATION | SonarCloud org key |
| SONARQUBE_AUTH_SCHEME | basic (default) or bearer |

Agent-driven analysis

The MCP tools can handle the full analysis flow. Ask your agent to:

  1. sonar_setup_scanner — Installs sonar-scanner in your project
  2. Generate coverage — Run npm run coverage (requires c8 or similar)
  3. sonar_run_analysis — Runs the scanner and pushes results to SonarQube

Or manually, copy sonar-project.properties.example to sonar-project.properties and run:

pnpm exec sonar-scanner -Dsonar.token=squ_...

Agent usage guidelines

When acting as an AI agent with these tools available, follow this order:

  1. sonar_analysis_status — first, check if the project has ever been analyzed. If NOT_FOUND or NOT_ANALYZED, guide the user to run sonar_setup_scanner + sonar_run_analysis.
  2. sonar_quality_gate — check if the project passes its quality gate. If ERROR, inspect failing conditions to understand what's blocking.
  3. sonar_measures — get the high-level metrics (coverage, bugs, smells, ratings).
  4. sonar_issues — drill into specific issues, filtered by severity or type. Start with CRITICAL/BLOCKER.
  5. sonar_rule — when you find an issue you don't understand, look up the rule for a plain-English explanation.
  6. sonar_source — view the flagged source code around an issue to understand the context.
  7. sonar_hotspots — review security hotspots (only works with squ_ user tokens).

If analysis data is missing or the project isn't even on the server, prompt the user to run:

# Install scanner (or use the sonar_setup_scanner tool)
pnpm add -D sonar-scanner

# Generate coverage
npx c8 node --test

# Run analysis (or use the sonar_run_analysis tool)
pnpm exec sonar-scanner -Dsonar.token=squ_...

Or if the tools are available, let the agent orchestrate the whole flow automatically.

Token tip: If sonar_hotspots returns a 403, tell the user they need a user token (squ_...), not an analysis token. The user token can do everything the analysis token can plus hotspots.

Token types

| Type | Prefix | Hotspots? |
| --- | --- | --- |
| User token | squ_ | ✅ |
| Project analysis | sqp_ | ❌ 403 |
| Global analysis | sqa_ | ❌ 403 |
